dos and don ts of client authentication on the web
play

Dos and Donts of Client Authentication on the Web Kevin Fu - PowerPoint PPT Presentation

Mar 09, 2023 •120 likes •1.12k views

Dos and Donts of Client Authentication on the Web Kevin Fu UMass-Amherst Department of Computer Science www.cs.umass.edu Based on USENIX Security 2001 paper by same name. Versions of this talk were given several times. History on:

  1. Dos and Don’ts of Client Authentication on the Web Kevin Fu UMass-Amherst Department of Computer Science www.cs.umass.edu Based on USENIX Security 2001 paper by same name. Versions of this talk were given several times. History on: http://www.cs.umass.edu/~kevinfu/talks.html

  4. What this talk is about • Improving the security of client authentication on the Web

  5. Where are we now? • We have HTTP authentication

  6. Where are we now? • We have HTTP authentication • We’ve had SSL for nearly a decade

  7. Where are we now? • We have HTTP authentication • We’ve had SSL for nearly a decade • Client authentication should be easy, right?

  8. Many Web sites get it wrong Site Security problem WSJ.com crypto misuse, secret key exposed tiffany.com SQL injection opentable.com guessable user IDs cooking.com guessable user IDs SprintPCS.com leaks authenticator in plaintext FatBrain.com predictable session ID HighSchoolAlumni.com circumvent password authentication PerformanceBike.com predictable session ID ihateshopping.net circumvent password authentication

  10. Toolkits are vulnerable too Toolkit Security problem BlueMartini missing authentication check Allaire ColdFusion predictable session IDs, LCNG ArsDigita ACS signs ambiguous messages Jakarta TomCat predictable session IDs, random seed PHP session IDs based on time of day

  11. How is it done? So how do Web sites implement user authentication?

  12. Cookies: what are they? • A Web server can store key/value pairs on a client • The browser resends cookies in subsequent requests to the server • Cookies can implement login sessions

  13. Sample cookie domain .wsj.com Path /cgi SSL? FALSE Expiration 941452067 Variable name fastlogin Value bitdiddleMaRdw2J1h6Lfc

  14. Cookies for login sessions Web browser Web server POST /login.cgi 1

  15. Cookies for login sessions Web browser Web server POST /login.cgi 1 "Welcome in" Web page Set − Cookie: authenticator 2

  16. Cookies for login sessions Web browser Web server POST /login.cgi 1 "Welcome in" Web page Set − Cookie: authenticator 2 GET /restricted/index.html Cookie: authenticator 3

  17. Cookies for login sessions Web browser Web server POST /login.cgi 1 "Welcome in" Web page Set − Cookie: authenticator 2 GET /restricted/index.html Cookie: authenticator 3 Content of restricted page 4

  18. What adversaries do we fear? Active adversary Passive adversary Interrogative adversary • Adaptively query a server • Eavesdrop on traf fi c • Modify/inject traf fi c, man-in-the-middle attack A system must AT LEAST protect against the interrogative adversary!

  19. Interrogative adversary • Adaptively query a Web server a reasonable number of times • Treat server as an oracle for an adaptive chosen message attack • Extremely limited, but surprisingly powerful

  20. Types of breaks • Replay • Existential forgery • Selective forgery • Total break

  21. The cookie crumbles... Many Web sites that have invented their own homebrew cookie-based authentication schemes.

  22. Case studies of Web authentication • Lack of cryptography: HighSchoolAlumni.com • Trusting user input: Instant Shop • Leaking secrets: SprintPCS.com • Predictable sequence numbers: FatBrain.com • Missing authentication check: BlueMartini • Misuse of cryptography: WSJ.com

  25. Lack of cryptography • Site: HighSchoolAlumni.com • Problem: No cryptographic authentication • Adversary: Interrogative • Break: Universal forgery • Today: Sold to another reunion site

  27. Instant Shop: What’s inside < form action=commit sale.cgi > < input type=hidden name=item1 value=10 > Batteries $10 < input type=hidden name=item2 value=99 > Biology textbook $99 < input type=hidden name=item3 value=25 > Britney Spears CD $25 < input type=submit > Con fi rm purchase < /form >

  28. Instant Shop: Malicious user < form action=commit sale.cgi > < input type=hidden name=item1 value=0 > Batteries $10 < input type=hidden name=item2 value=0 > Biology textbook $99 < input type=hidden name=item3 value=0 > Britney Spears CD $25 < input type=submit > Con fi rm purchase < /form >

  29. Trusting user input • Site: Instant Shop • Problem: Server trusts users not to modify HTML variables • Adversary: Interrogative • Today: Out of business

  32. Leaking secrets • Site: SprintPCS.com • Problem: Secure content can leak through plaintext channels • Adversary: Eavesdropper • Break: Replay • Today: A leading provider of mobile phone service...

  35. FatBrain URL authenticator Start: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=attacker@mit.edu&p2=540555758 Try: https://www.fatbrain.com/HelpAccount.asp? ! t=0&p1=victim@mit.edu&p2=540555757 Target: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=victim@mit.edu&p2=540555752

  36. FatBrain URL authenticator Start: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=attacker@mit.edu&p2=540555758 Try: https://www.fatbrain.com/HelpAccount.asp? ! t=0&p1=victim@mit.edu&p2=540555756 Target: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=victim@mit.edu&p2=540555752

  37. FatBrain URL authenticator Start: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=attacker@mit.edu&p2=540555758 Try: https://www.fatbrain.com/HelpAccount.asp? ! t=0&p1=victim@mit.edu&p2=540555755 Target: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=victim@mit.edu&p2=540555752

  38. FatBrain URL authenticator Start: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=attacker@mit.edu&p2=540555758 Try: https://www.fatbrain.com/HelpAccount.asp? ! t=0&p1=victim@mit.edu&p2=540555754 Target: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=victim@mit.edu&p2=540555752

  39. FatBrain URL authenticator Start: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=attacker@mit.edu&p2=540555758 Try: https://www.fatbrain.com/HelpAccount.asp? ! t=0&p1=victim@mit.edu&p2=540555753 Target: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=victim@mit.edu&p2=540555752

  40. FatBrain URL authenticator Start: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=attacker@mit.edu&p2=540555758 Try: https://www.fatbrain.com/HelpAccount.asp? " t=0&p1=victim@mit.edu&p2=540555752 Target: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=victim@mit.edu&p2=540555752

  41. Predictable sequence numbers • Site: FatBrain.com • Problem: Customer can determine the authenticator for any other user • Adversary: Interrogative • Break: Selective forgery • Today: Acquired by Barnes & Noble

  42. FatBrain response “It’s frustrating that programmers ... continue to fall prey to the same old tricks. Simple problems like lazy sequence numbers and buffer over fl ows in most cases can be easily eliminated if we as programmers would be a little vigilant about sound design and solid code reviews. I just *love* being at work on a Friday at midnight managing unscheduled production releases. :)”

  43. Missing authentication check • Sites: saks fi fthavenue.com, kohls.com, iomega.com, et al • Problem: Customers can download order history of all users • Adversary: Interrogative • Break: Universal forgery • Today: The sites have added the check

  44. BlueMartini: missing authentication check https://www.saks fi fthavenue.com/ POST /myaccount/order history new.jsp HTTP/1.0 Host: www.saks fi fthavenue.com bmForm=order history new& bmHidden=VIEW ORDER <> & VIEW ORDER <> orh id=12366456

  46. WSJ.com login process • User enters name and password • If the password is correct, WSJ.com issues a cookie • User surfs to restricted content and attaches cookie • If the cookie is authentic, WSJ.com returns content

  47. WSJ.com analysis • Design: cookie = { user, MACk (user) } • Reality: cookie = user + UNIX-crypt (user + server secret)

  48. WSJ.com analysis cont. username crypt() Output Authenticator cookie bitdiddl MaRdw2J1h6Lfc bitdiddlMaRdw2J1h6Lfc bitdiddle MaRdw2J1h6Lfc bitdiddleMaRdw2J1h6Lfc • Usernames matching fi rst 8 characters have same authenticator • No expiration

  49. Obtaining the server secret? • Adaptive chosen message attack • Perl script queried WSJ with invalid cookies • Runs in max 128 × 8 queries rather than intended 128 8 (1024 vs. 72057594037927936) • 1 sec/query yields 17 minutes vs. 10 9 years • The key is “March20”

  50. How our attack works Secret guess username crypt input worked? " bitdiddl bitdiddl

  51. How our attack works Secret guess username crypt input worked? " bitdiddl bitdiddl ! A bitdidd bitdiddA

  52. How our attack works Secret guess username crypt input worked? " bitdiddl bitdiddl ! B bitdidd bitdiddB

  53. How our attack works Secret guess username crypt input worked? " bitdiddl bitdiddl ! C bitdidd bitdiddC

  54. How our attack works Secret guess username crypt input worked? " bitdiddl bitdiddl ! D bitdidd bitdiddD

Recommend

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication After the Handshake The user navigates to the sites landing page, no client authentication required. Eventually, the user requests a

69 views • 6 slides
Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant

Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant

Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant http://www.2ndquadrant.com/ 2017-02-05 Part I Authentication Why Authentication? Too complicated Nobody knows my database Nobody will attack us

813 views • 39 slides
CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser.

505 views • 17 slides
User Authentication using the Client Principle Object Presented By: Chris Longo User

User Authentication using the Client Principle Object Presented By: Chris Longo User

User Authentication using the Client Principle Object Presented By: Chris Longo User Authentication using the Client Principle Object Agenda What is the Client Principal Object? Why is it useful? How do I implement the CP Object?

697 views • 36 slides
Symcon Cloud Connect Cloud Connect Authentication Connect Client Goals Main goal: Building a

Symcon Cloud Connect Cloud Connect Authentication Connect Client Goals Main goal: Building a

Symcon Cloud Connect Cloud Connect Authentication Connect Client Goals Main goal: Building a reverse proxy tunneling service with an embedded SSH server and MySQL authentication Stretch goals: Beautifully rendered statistics dashboard

273 views • 4 slides
Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation

Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation

Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation 2009-02-04 Contents The Grid @NIKHEF The project Grid components and interactions X.509 certificates, proxies and delegations

257 views • 13 slides
Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication

Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication

Chair of Network Architectures and Services TUM Department of Informatics Technical University of Munich (TUM) Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication Matthias Wachs, Quirin Scheitle, and

462 views • 14 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Moving to client-side hashing for online authentication Enka Blanchard 1 Xavier Coquand 2 Ted

Moving to client-side hashing for online authentication Enka Blanchard 1 Xavier Coquand 2 Ted

Moving to client-side hashing for online authentication Enka Blanchard 1 Xavier Coquand 2 Ted Selker 3 Digitrust, Loria, Universit e de Lorraine, www.koliaza.com Bsecure, Paris University of Maryland, Baltimore County 9th International

1.02k views • 18 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @ Security Evaluation Kudelski Security Lab @ Kudelski IoT Embedded systems Hardware attacks security research Glitch / EM Reverse

889 views • 51 slides
Client puzzles for denial-of-service resistant authentication Joint work with Juan Gonzalez,

Client puzzles for denial-of-service resistant authentication Joint work with Juan Gonzalez,

Client puzzles for denial-of-service resistant authentication Joint work with Juan Gonzalez, Lakshmi Kuppusamy, Jothi Rangasamy, Douglas Stebila, Suriadi Suriadi Colin Boyd Information Security Institute Queensland University of Technology

560 views • 32 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 1 / 20

370 views • 33 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP

EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP

EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP setup Access Target Client NAS Network Network AAA server S 2 A new EAP setup Authentication AuthToken AuthServer Integrity Client

628 views • 7 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
Multi-Threaded Servers December 6, 2007 1 Client-Server Communication Client Client Client

Multi-Threaded Servers December 6, 2007 1 Client-Server Communication Client Client Client

Multi-Threaded Servers December 6, 2007 1 Client-Server Communication Client Client Client Client Client Client Client Client Client Google Client Client Client Client Client Client Many clients; 1 server Server starts and then

333 views • 6 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
Security II: Web authentication Such text-based protocols can be demonstrated via generic TCP

Security II: Web authentication Such text-based protocols can be demonstrated via generic TCP

Hyper Text Transfer Protocol (HTTP) version 0.9 With HTTP, a client (web browser) contacts a server on TCP port 80, sends a request line and receives a response file. Security II: Web authentication Such text-based protocols can be

383 views • 7 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides

More recommend